test(browser): cover absolute escape paths

2026-05-30 17:26:53 +00:00 · 2026-02-14 13:14:12 +01:00
parent 8779ad7f98
commit ca70bb67bf
1 changed files with 28 additions and 0 deletions
--- a/src/browser/server.agent-contract-form-layout-act-commands.test.ts
+++ b/src/browser/server.agent-contract-form-layout-act-commands.test.ts
@@ -514,6 +514,15 @@ describe("browser control server", () => {
    expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
  });

+  it("trace stop rejects absolute path outside trace dir", async () => {
+    const base = await startServerAndBase();
+    const res = await postJson<{ error?: string }>(`${base}/trace/stop`, {
+      path: path.resolve("/", "pwned.zip"),
+    });
+    expect(res.error).toContain("Invalid path");
+    expect(pwMocks.traceStopViaPlaywright).not.toHaveBeenCalled();
+  });
+
  it("trace stop accepts in-root relative output path", async () => {
    const base = await startServerAndBase();
    const res = await postJson<{ ok?: boolean; path?: string }>(`${base}/trace/stop`, {
@@ -560,6 +569,15 @@ describe("browser control server", () => {
    expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
  });

+  it("wait/download rejects absolute path outside downloads dir", async () => {
+    const base = await startServerAndBase();
+    const waitRes = await postJson<{ error?: string }>(`${base}/wait/download`, {
+      path: path.resolve("/", "pwned.pdf"),
+    });
+    expect(waitRes.error).toContain("Invalid path");
+    expect(pwMocks.waitForDownloadViaPlaywright).not.toHaveBeenCalled();
+  });
+
  it("download rejects traversal path outside downloads dir", async () => {
    const base = await startServerAndBase();
    const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
@@ -570,6 +588,16 @@ describe("browser control server", () => {
    expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
  });

+  it("download rejects absolute path outside downloads dir", async () => {
+    const base = await startServerAndBase();
+    const downloadRes = await postJson<{ error?: string }>(`${base}/download`, {
+      ref: "e12",
+      path: path.resolve("/", "pwned.pdf"),
+    });
+    expect(downloadRes.error).toContain("Invalid path");
+    expect(pwMocks.downloadViaPlaywright).not.toHaveBeenCalled();
+  });
+
  it("wait/download accepts in-root relative output path", async () => {
    const base = await startServerAndBase();
    const res = await postJson<{ ok?: boolean; download?: { path?: string } }>(